p2-inc / phasetwo-docs

docusaurus repo for phasetwo.io public website and documentation

Invitation vs. user self registration flows by organization #131

Closed lsmith77 closed 5 months ago

lsmith77 commented 5 months ago

I am hoping that creating a ticket here is the right place.

PhaseTwo's extensions provides a mechanism for invitations, which can be used in place of user self-registration.

However, in our use case some organizations might require invitations, while others might allow self-registration (some might, however, require the domain to match a specific list).

So fundamentally I wonder what is the best practice pattern to handle such organization differences while using a single realm?

My guess is that we will leverage attributes to build a custom auth flow?

I saw a hint in that general direction here (and I assume we could leverage this domains configuration to also limit self-registration to specific domains): https://phasetwo.io/docs/organizations/identity-providers#verified-domains

xgp commented 5 months ago

This question should be in https://github.com/p2-inc/keycloak-orgs

Restrictions like this are currently left to the application, as there's no internal function in the extension controlling the method of membership.

> My guess is that we will leverage attributes to build a custom auth flow?

This is one approach that we've seen work.

> verified-domains

This can both be used in custom logic, and is already used in the "home idp discovery" authenticator to route logins to external, organization-owned identity providers, and do automatic membership for users that authenticate with an organization-owned idp during the post broker flow.
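The reply above leaves the "invite-only vs. self-registration vs. domain-restricted" decision to the application or a custom authenticator driven by organization attributes. The following is an added example of what that decision logic can look like; it is not code from keycloak-orgs or from the phasetwo-docs project. The attribute names (`membership.mode`, `membership.domains`), the three membership modes, and the minimal `Organization` record are all assumptions made for illustration, and it generalizes the question slightly by covering all three modes in one policy function rather than just the two the question contrasts. A real Keycloak authenticator would read the same attributes from the organization model and call `context.success()` or `context.failure(...)` based on the result.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    # Hypothetical values for a 'membership.mode' organization attribute.
    INVITE_ONLY = "invite-only"
    DOMAIN_RESTRICTED = "domain-restricted"
    OPEN = "open"


@dataclass
class Organization:
    """Minimal stand-in for an organization record (constructed for this example)."""
    name: str
    # Keycloak-style multivalued attributes; the attribute names are assumptions.
    attributes: dict[str, list[str]] = field(default_factory=dict)
    # Pending invitations, keyed by lowercased email address.
    invitations: set[str] = field(default_factory=set)


def membership_mode(org: Organization) -> Mode:
    """Read 'membership.mode'; fail closed to invite-only on a missing or unknown value."""
    raw = org.attributes.get("membership.mode", [Mode.INVITE_ONLY.value])[0]
    try:
        return Mode(raw.strip().lower())
    except ValueError:
        return Mode.INVITE_ONLY


def email_domain(email: str) -> str | None:
    """Return the normalized domain part of an address, or None if it is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def domain_allowed(domain: str, allowed: list[str]) -> bool:
    """Exact match on an allowed entry, or subdomain match for '*.base' entries.

    '*.corp.example' matches 'eu.corp.example' but not 'corp.example' itself,
    and the leading dot keeps 'evilcorp.example' from matching.
    """
    for entry in allowed:
        e = entry.strip().lower()
        if not e:
            continue
        if e.startswith("*."):
            if domain.endswith(e[1:]):  # e[1:] is ".corp.example"
                return True
        elif domain == e:
            return True
    return False


def may_join(org: Organization, email: str, *, invited: bool = False,
             email_verified: bool = False) -> tuple[bool, str]:
    """Decide whether `email` may become a member of `org`.

    `invited` means the user arrived through the organization's invitation
    flow; `email_verified` means the IdP has verified the address. A domain
    check on an unverified address proves nothing, so self-registration
    requires verification here.
    """
    domain = email_domain(email)
    if domain is None:
        return False, "malformed email address"

    if invited:
        # Invitations are honoured in every mode, but only for the exact address they were issued to.
        if email.strip().lower() in org.invitations:
            return True, "valid invitation"
        return False, "no pending invitation for this address"

    mode = membership_mode(org)
    if mode is Mode.INVITE_ONLY:
        return False, "organization is invite-only"
    if not email_verified:
        return False, "email address not verified"
    if mode is Mode.DOMAIN_RESTRICTED:
        allowed = org.attributes.get("membership.domains", [])
        if not allowed:
            # Misconfiguration: restricted mode with no domains must not silently become open.
            return False, "domain-restricted but no domains configured"
        if domain_allowed(domain, allowed):
            return True, "email domain permitted"
        return False, f"domain {domain} is not permitted"
    return True, "open self-registration"


if __name__ == "__main__":
    # Constructed sample organizations.
    acme = Organization("acme", {"membership.mode": ["invite-only"]}, {"bob@acme.example"})
    globex = Organization("globex", {"membership.mode": ["domain-restricted"],
                                     "membership.domains": ["globex.example", "*.corp.globex.example"]})
    for org, addr, kw in [
        (acme, "alice@acme.example", {"email_verified": True}),
        (acme, "Bob@acme.example", {"invited": True}),
        (globex, "eve@eu.corp.globex.example", {"email_verified": True}),
        (globex, "eve@globex.example", {}),
    ]:
        print(org.name, addr, may_join(org, addr, **kw))
```

Two choices matter more than the rest: an unknown or missing `membership.mode` value falls back to invite-only rather than open, and a domain-restricted organization with an empty domain list denies everyone, so a half-finished configuration never widens membership. The wildcard matching is deliberately conservative; if an organization's verified-domains configuration is the source of truth, the `membership.domains` list here would be populated from it instead.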